1 CSCD 434 Spring 2012 Lecture 14 Cryptography - Symmetric.


1 1 CSCD 434 Spring 2012 Lecture 14 Cryptography - Symmetric

2 2 Symmetric Cipher Families Involve using one key for both encryption and decryption Symmetric modern crypto systems have two broad families of methods Stream ciphers Block ciphers

3 3 Block vs. Stream Cipher Block ciphers – Take text, divide it into blocks, and encrypt those blocks – Important part: they require entire text before they can start encrypting Stream Ciphers – Stream ciphers treat their input as a data stream and encrypt it on the fly – Don’t need entire blocks, and don’t need entire set of data before they can start encrypting

4 4 Stream Cipher Processes Message bit by bit (as a stream) – Most famous of these is Vernam cipher Also called one-time pad – Invented by Vernam, working for AT&T, in 1917 – Simply add bits of message to random key bits – Need as many key bits as message, difficult in practice – Is unconditionally secure provided key is truly random – Since difficult to distribute so much key For long message, need a lot of key bits Idea to generate keystream from a smaller (base) key Key is expanded to create the keystream – Use some pseudo-random function to do this

5 5 Stream Cipher Basic Idea – Generate pseudorandom sequence of bytes called a keystream – Combined with data using XOR XOR combines two bytes to get one by exclusive-or'ing each bit 00110101 XOR 11100011 = 11010110 Characteristic of XOR – apply same value twice, get original value

6 Stream Ciphers Stream cipher similar to one-time pad – Difference, one-time pad is random – Stream cipher is pseudo random – Encryption should have large period of randomness Longer the period, more difficult to perform cryptanalysis RC4 based on pseudo random numbers Very simple algorithm

7 Stream Cipher – RC4 Example RC4 was designed by Ron Rivest of RSA Security in 1987 – Officially termed Rivest Cipher 4 – RC4 was initially a trade secret, but in 1994 a description was anonymously posted to the Cypherpunks mailing list – Soon posted to many sites on Internet – Leaked code was confirmed to be genuine as its output was found to match that of proprietary software using licensed RC4 Used in SSL and WEP http://en.wikipedia.org/wiki/RC4

8 8 RC4 Algorithm Uses XOR 00110101 XOR 11100011 = 11010110 11010110 XOR 11100011 = 00110101 A XOR B = C, C XOR B = A Encryption use of RC4 Plaintext XOR Keysequence = Ciphertext Ciphertext XOR Keysequence = Plaintext What makes this secure? Same key Same

9 RC4 Key Setup Key setup algorithm
Inputs: key (5 to 32 bytes); state stored in permuted form in array S

    char S[256]
    for i from 0 to 255
        S[i] := i
    endfor
    j := 0
    for i from 0 to 255
        j := (j + S[i] + key[i mod keylength]) mod 256
        swap(&S[i], &S[j])
    endfor

Initialized with a variable length key, 1 to 256 bytes, usually 40 – 128 bits State vector, S, 0 - 255

10 RC4 Key Setup What this does.... – The RC4 key setup initializes the internal state, S, using a key K of up to 256 bytes – By exchanging two elements of the state in each step, it incrementally transforms the identity permutation into a "random" permutation

11 Pseudo-random generation algorithm (PRGA)

    i := 0
    j := 0
    while GeneratingOutput:
        i := (i + 1) mod 256
        j := (j + S[i]) mod 256
        swap(&S[i], &S[j])
        output S[(S[i] + S[j]) mod 256]
    endwhile

Byte produced is XOR'd with plaintext For as many iterations as are needed, the PRGA modifies state and outputs a byte of the keystream In each iteration, the PRGA increments i, adds the value of S[i] to j, exchanges the values of S[i] and S[j], and then outputs the value of S at the location S[i] + S[j] (modulo 256) Each value of S is swapped at least once every 256 iterations

12 RC4 Key Stream RC4 key stream generation algorithm updates the RC4 internal state – Generates one byte of key stream – Key stream is XORed to the plaintext – to finally generate the ciphertext

13 RC4 Problems In 2001, a discovery was made by Fluhrer, Mantin and Shamir – Over all possible RC4 keys, statistics for first few bytes of output keystream are strongly non-random, leaking information about key – Implementations use an initialization vector (IV) of limited size, implemented by concatenating key with IV Long-term key can be discovered by analyzing a large number of messages encrypted with this key http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf

14 Klein’s Attack on WEP In 2005, Andreas Klein presented an analysis of RC4 stream cipher showing more correlations between RC4 keystream and key – Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin used this analysis to create aircrack-ptw – Paper on this: http://eprint.iacr.org/2007/120.pdf – Tool which cracks 104-bit RC4 used in 128-bit WEP in under a minute!!!! – Whereas Fluhrer, Mantin, and Shamir attack used around 10 million messages, aircrack-ptw can break 104-bit keys in 40,000 frames with 50% probability, or in 85,000 frames with 95% probability

15 Final Comment RC4 Problem is not with the algorithm itself Particularly with keys that are long enough Problem is with the generation of keys as input to RC4!

16 Block Ciphers

17 17 Block Cipher In block cipher message is broken into fixed size blocks, each of which is then encrypted Most modern ciphers are of this form Contrasts with stream ciphers which encrypt individual bits Block ciphers are based on information theory of Claude Shannon …

18 18 Shannon’s Theory Claude Shannon wrote some pivotal papers on modern cryptology theory in 1949 In these he developed concepts of: – Entropy of a message – variability – Redundancy in language, – Theories about how much information is needed to break cipher – Defined concepts of computationally secure vs. unconditionally secure ciphers

19 19 Shannon’s Theory Substitution-Permutation Ciphers – In his 1949 paper Shannon introduced idea of substitution-permutation (S-P) networks, which now form basis of modern block ciphers http://cm.bell-labs.com/cm/ms/what/shannonday/paper.html – An S-P network is modern form of a substitution-transposition product cipher – S-P networks are based on two primitive cryptographic operations Substitution Permutation

20 20 Shannon’s Theory Substitution-Permutation Network – Shannon noted that two weak but complementary ciphers can be made more secure by applying them together – Combined these two primitives in a structure called product cipher S-Boxes – Provide confusion of input bits P-Boxes – Provide diffusion across S-box inputs

21 21 Diffusion and Confusion Diffusion – Dissipates statistical structure of plaintext over bulk of ciphertext Confusion – Makes relationship between ciphertext and key as complex as possible

22 22 Diffusion and Confusion Introduced by Shannon to thwart cryptanalysis based on statistical analysis – Assume attacker has some knowledge of statistical characteristics of plaintext Cipher needs to completely obscure statistical properties of original message One-time pad also does this

23 23 Implementing S-P Networks Horst Feistel, working at IBM Research Labs, devised this structure in early 70's, which we now call a Feistel cipher Implemented Feistel Structure has – Identical rounds of processing – Each round, substitution is performed on ½ of data – Then, permutation, exchanges halves – Original key is expanded and a different subkey is used for each round

24 Feistel Cipher Design Principles Block size – Increasing size improves security, but slows cipher Key size – Increasing size improves security, makes exhaustive key searching harder, but may slow cipher Number of rounds – Increasing number improves security, but slows cipher Subkey generation – Greater complexity can make analysis harder, but slows cipher Round function – Greater complexity can make analysis harder, but slows cipher Fast software en/decryption & ease of analysis – More recent concerns for practical use and testing

25 Feistel Cipher Structure – Idea is to partition input block into two halves, L(i-1) and R(i-1), Exchange blocks at each round, i – Have a Function, g, controlled by part of key K(i) and XOR'd to pass on to next stage

26 Feistel Cipher Structure [Figure: Feistel cipher structure with round function g]

27 27 Feistel Cipher Structure This can be described functionally as, where (+) denotes XOR:

    L(i) = R(i-1)
    R(i) = L(i-1) (+) g(K(i), R(i-1))

In practice link a number of these stages together (typically 16 rounds) to form the full cipher Feistel structure advantage is encryption and decryption operations are similar, even identical in some cases, requiring only reversal of key schedule Therefore size of code or circuitry required to implement such a cipher is nearly halved Used in DES...
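A toy Feistel network that follows the two equations above, showing that decryption is the same routine run with the subkeys in reverse order. This is an added example, not code from the lecture; the round function g (truncated SHA-256), the key schedule and the sample key and block are assumptions chosen here, and the cipher is for illustration only.

```python
import hashlib

ROUNDS = 16          # "typically 16 rounds", as on the slide
HALF = 4             # 64-bit block split into two 32-bit halves


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def g(subkey, half):
    """Round function g(K(i), R(i-1)). Assumption: truncated SHA-256.
    g need not be invertible for the whole cipher to be invertible."""
    return hashlib.sha256(subkey + half).digest()[:HALF]


def key_schedule(key):
    """Toy subkey expansion (assumption): K(i) = SHA-256(key || i)[:8]."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8]
            for i in range(1, ROUNDS + 1)]


def feistel(block, subkeys):
    """Apply L(i) = R(i-1), R(i) = L(i-1) XOR g(K(i), R(i-1)) per subkey."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be 8 bytes")
    L, R = block[:HALF], block[HALF:]
    for k in subkeys:
        L, R = R, xor_bytes(L, g(k, R))
    return R + L      # undo the final swap so the same routine decrypts


def encrypt(key, block):
    return feistel(block, key_schedule(key))


def decrypt(key, block):
    # Identical code path; only the subkey order is reversed (K16 ... K1).
    return feistel(block, key_schedule(key)[::-1])


if __name__ == "__main__":
    key, pt = b"toy-key", b"8 bytes!"   # constructed sample values
    ct = encrypt(key, pt)
    print(ct.hex(), decrypt(key, ct))
```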

28 28 DES Algorithm DES – In 1970’s US National Bureau of Standards (NIST) recognized general public needed secure encryption technology to protect sensitive information – Historically, US DOD has a strong interest in encryption systems (NSA)‏ – In 1972, NBS (NIST) issued call for proposals for producing a public encryption algorithm

29 29 DES Algorithm Specified following criteria for an encryption algorithm: High level of security Easy to understand Publishable, security does not depend on secrecy of the algorithm Available to all users Efficient to use Exportable

30 30 DES Algorithm Few Organizations responded to NBS call Second announcement in 1974 – IBM responded with Lucifer algorithm – Lucifer used simple logical operations on relatively small quantities – Algorithm could be implemented in either hardware or software on conventional computers – Final algorithm was developed by IBM for NBS Became known as DES Stands for Data Encryption Standard

31 31 DES Algorithm NSA analyzed DES algorithm – Found no serious flaws Became a standard in 1976 – Authorized for use by all public and private sector unclassified communication Eventually, DES was accepted as an international standard

32 32 DES Algorithm Overview of DES DES performs series of bit permutation, substitution, and recombination operations on blocks containing 64 bits of data and 56 bits of key 64 bits of input are permuted initially, and then input to a function using – Static tables of permutations P-boxes – and substitutions S-boxes

33 S-box S-box takes number of input bits, m – Transforms them into number of output bits, n – An m×n S-box can be implemented as a lookup table with 2^m words of n bits each – Fixed tables are normally used, e.g. in DES – In some ciphers, tables are generated dynamically from the key – e.g. the Blowfish and the Twofish encryption algorithms.

34 S-box One good example is this 6×4-bit S-box from DES (S5): See Wikipedia for this example http://en.wikipedia.org/wiki/Substitution_box

35 35 DES Algorithm Cycles – Break permuted data into two halves, 32 bits each – Key gets transformed Key shifted left by some number and permuted Key bits get dropped so only 48 bits used – Right half of data expanded to 48 bits – duplicates certain bits – Right half combined with 48 bits of key – Result is substituted for another result and condensed to 32 bits – 32 bits are permuted and then combined with left half to yield a new right half

36 36 DES Algorithm Cycles – Process iterated 16 times (rounds), each time with different set of tables and different bits from key – Algorithm then performs final permutation, and 64 bits of output are provided

37 37 DES Algorithm [Figure: one DES cycle, repeated 16 times. Diagram labels: Left Half of Text (32), Right Half of Text (32), Expand and Permute (48 bits), Key – shifted (56 bits), Key – Permuted (48 bits), dropped, Combine Key, Substitute (S-Boxes), Permute (P-Boxes), Add halves, New Left Half Text, New Right Half Text]

38 38 DES Algorithm Decryption – Decryption uses the same algorithm and same secret key – Reversible process – Same function used but keys must be taken in reverse order (k16, k15, ..., k1)

39 39 DES Algorithm Double DES – DES key is fixed at 56 bits – Not considered long by today’s standards – Wanted to increase key length of DES but can’t DES algorithm is fixed at 56 bits Researchers suggested doubling DES algorithm for greater security Take two keys instead of 1 and perform two encryptions

40 40 DES Algorithm Double DES Should in theory multiply difficulty making it harder to break – Like two locks! However, two researchers, Diffie and Hellman showed that two encryptions are not better than one – Strength of cipher is usually exponential in size of key – So doubling key actually should square complexity, to 2^112 – But applying DES encryption twice at best doubles complexity so only get 2 x 2^56 = 2^57 However, Triple DES does work!

41 41 Double DES Because message encrypted with DES can be forcibly decrypted by an attacker performing an exhaustive key search today, an attacker might also be able to forcibly decrypt a message encrypted with Double DES using a meet-in-the-middle attack at some point in the future "2^57 is still considerably more memory storage than one could comfortably comprehend, but it's enough to convince the most paranoid of cryptographers that double encryption is not worth anything," Bruce Schneier from Applied Cryptography
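Why double encryption only doubles the work, shown on a scaled-down model: a toy cipher with a 16-bit block and 8-bit key stands in for DES, so exhaustive search over both keys costs 2^16 double encryptions while meeting in the middle costs 2 x 2^8 = 2^9 single operations plus a table. This is an added example, not code from the lecture; the toy cipher, key values and sample blocks are constructed here and the cipher has no security value.

```python
MASK = 0xFFFF        # toy cipher: 16-bit block, 8-bit key (DES: 64 and 56)


def rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK


def enc(k, x):
    """Toy invertible cipher (constructed for this example, not secure)."""
    for r in range(4):
        x = (x + k * 0x0123 + r) & MASK
        x = rotl(x, 5) ^ (k << 4)
    return x


def dec(k, y):
    for r in reversed(range(4)):
        y = rotl(y ^ (k << 4), 11)
        y = (y - k * 0x0123 - r) & MASK
    return y


def double_enc(k1, k2, x):
    return enc(k2, enc(k1, x))


def meet_in_the_middle(pairs):
    """Find (k1, k2) candidates from known (plaintext, ciphertext) pairs.
    Returns the candidates and the number of single-cipher operations
    spent building and probing the middle table."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle = {}
    for k1 in range(256):                      # 2^8 encryptions of p0
        middle.setdefault(enc(k1, p0), []).append(k1)
    ops, found = 256, []
    for k2 in range(256):                      # 2^8 decryptions of c0
        ops += 1
        for k1 in middle.get(dec(k2, c0), []):
            # confirm on the remaining pairs to drop chance matches
            if all(double_enc(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops


if __name__ == "__main__":
    k1, k2 = 0x3A, 0xC5                        # constructed secret keys
    pairs = [(p, double_enc(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    found, ops = meet_in_the_middle(pairs)
    print((k1, k2) in found, ops, "vs", 256 * 256, "for exhaustive search")
```

The memory cost is the table of 2^8 middle values, which is the storage the Schneier quote refers to at DES scale.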

42 42 DES Algorithm Triple DES Using two keys, you apply them in 3 operations which adds strength You encrypt with one key, decrypt with the second key and encrypt with the first key again Three applications of the DES algorithm but it only doubles the effective key length – 112 bit key which is very strong against all feasible known attacks!

43 43 DES Algorithm How strong is DES? DES has been questioned by analysts In 1990, Biham and Shamir invented technique called differential cryptanalysis, that investigates change in algorithm strength when a crypto algorithm changes Looked at DES and showed that any change to the algorithm weakens it – Change iterations from 16 to 15, change expansion or substitution rules and weakened algorithm could be broken

44 44 DES Algorithm How Strong is DES? Diffie and Hellman argued that DES key length wasn’t strong enough given that computers will be increasing in processing power In 1997, researchers using over 3500 machines in parallel were able to infer DES key in 4 months In 1998, researchers built DES cracker machine funded by Electronic Freedom Foundation and found DES key in 4 days – Triple DES was still beyond power of these machines – But it was clear that stronger algorithm was needed

45 DES Cracked in a Few Days The EFF's US $250,000 DES cracking machine contained 1,536 custom chips and could brute force a DES key in a matter of days. The photo shows a DES Cracker circuit board fitted with several Deep Crack chips http://en.wikipedia.org/wiki/EFF_DES_cracker Deep Crack chips are 1856 custom ASIC DES chips The entire machine was capable of testing over 90 billion keys per second

46 46 AES Algorithm AES, the Beginning – In 1997, NIST did another call for proposals – Wanted an algorithm with these qualities: – Unclassified – Publicly disclosed – Available royalty-free for use worldwide – Symmetric block cipher algorithms » For blocks of 128 bits – Usable with key lengths of 128, 192 and 256 bits

47 47 AES Algorithm AES, the Beginning In 1999, five finalists were selected, underwent intense public and private scrutiny Looked at security but also at cost or efficiency, ease of implementation in software Winning algorithm submitted by two Belgian cryptographers – Vincent Rijmen and Joan Daemen Became known as the Rijndael algorithm Called AES and was adopted in 2001 – Became Federal Information Processing Standard 197 (FIPS 197)

48 48 AES Algorithm Overview of Rijndael Fast algorithm – Can be implemented on simple processor Uses substitution and transposition plus shift, XOR and addition operations Uses repeat cycles – called rounds in Rijndael Each cycle consists of 4 steps

49 49 AES Algorithm Overview AES – Each cycle has four steps 1. Byte substitution – Uses byte substitution box structure similar to DES – Substituting each byte of a 128 bit block according to a substitution table 2. Shift Row – Transposition step – For 128 and 192 bit block sizes, row n is shifted left circular (n-1) bytes – For 256 bit blocks, row 2 is shifted 1 byte and rows 3 and 4 are shifted 3 and 4 bytes respectively

50 50 AES Algorithm 3. Mix Columns – Shifting left and XORing the bits with themselves 4. Add subkey – Portion of key unique to this cycle is XOR'ed with cycle result – Steps perform both confusion and diffusion on input data – Bits from key are combined with intermediate results frequently so key bits will be well diffused

51 51 Rijndael

52 52 AES Algorithm Compare DES and AES When evaluating DES, asked two questions.. 1) How strong is DES, any backdoors? 2) How long until encrypted code could be routinely cracked – In 20 years research has not found any major flaws in DES – Changes appear to weaken algorithm – DES does have a fixed key size

53 53 AES Algorithm Compare DES and AES Same questions for AES... – AES algorithm defined with 128, 192 and 256 key lengths – Start with key size more than double that of DES – AES more flexible Can extend the cycle number Can change other aspects of algorithm without weakening it

54 54 References
– RC4: http://www.wireless-center.net/print/2209.html
– DES General: http://www.unix.org.ua/orelly/networking/puis/ch06_04.htm
– Double Strength Research DES: R. C. Merkle and M. Hellman, "On the Security of Multiple Encryption," Communications of the ACM, Volume 24, Number 7, July 1981, pp. 465-467
– DES - How it works with Diagrams: http://accessscience.com/content/Cryptography/170600
– DES Strength: Hellman, M. 1979. "DES will be totally Insecure in 10 years", IEEE Spectrum, V16, 7, Jul. 1979, pp. 32-39
– AES Animated – Very cool: http://www.cs.bc.edu/~straubin/cs381-05/blockciphers/rijndael_ingles2004.swf
– AES: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

55 55 The End Next Time Use of Crypto products we know and love!!!

